Sony’s Secret DRM and the Power of the Blogosphere

Sony BMG Music Entertainment placed Digital Rights Management (DRM) software onto its CDs in order to prevent people from copying the music on their computers. The software restricts the number of times that a person can copy a CD on his or her computer. According to a BBC article:

About 20 titles are thought to be using the XCP software and in May 2005 Sony said more than two million discs had been shipped using the technology. XCP is just one of several anti-piracy systems Sony is trying.

XCP only allows three copies of an album to be made and only allows the CD to be listened to on a computer via a proprietary media player. The hidden files are installed alongside the media player.

Sony had been using the software for about 8 months, until Mark Russinovich, a computer expert and blogger, discovered it and blogged about it on October 31, 2005.

The controversy started Monday after Windows expert Mark Russinovich posted a Web log report on how he found hidden files on his PC after playing a Van Zant CD. He also said it disabled his CD drive after he tried to manually remove it.

Russinovich made the discovery while running a program he had written for uncovering file-cloaking “RootKits.” In this case, the Sony program hid the anti-piracy software from view. Similar technology also has been used by virus and worm writers to conceal their code.

A firestorm quickly erupted over what appeared to be an attempt by the music company to retain control over its intellectual property by secretly installing hidden software on the PCs of unsuspecting customers.

Sony’s End User License Agreement (EULA) said that software will be installed into people’s computers, but it did not mention that it would be hidden or hard to delete.

According to the BBC article, there was reason for computer users to be concerned about the hidden files:

Mr Russinovich feared that diligent users trying to keep their systems clean of viruses could stumble across the hidden XCP files, delete them and inadvertently cripple their computer.

His worries were echoed by Mikko Hypponen, chief research officer at Finnish security firm F-Secure, who has been looking into XCP since he first came across it in late September.

“What we are scared of is when we find a new virus written by someone that relies on the fact that this [XCP] software is running on tens of thousands of computers around the world,” he said. “The rootkit would hide that virus from pretty much any anti-virus program out there.”

After Russinovich blogged about finding the Sony software, the blogosphere erupted into action. According to a Reuters article:

Within 24 hours, online tech-news sites including SlashDot and CNet had posted news about Russinovich’s account. And by November 2, Sony BMG had posted instructions on its own site (cp.sonybmg/xcp) for removing the DRM.

This incident raises a number of interesting issues.

First, to what extent are Sony’s disclosures about the software adequate? This could potentially be a violation of the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. §1030. I’m no expert here, but the Act prohibits different forms of unauthorized access to computers. For example, the CFAA prohibits knowingly transmitting “a program, information, code, or command” or “intentionally access[ing] a protected computer without authorization” that causes damage to a protected computer. §1030(5)(A)(i).

Sony has the right to protect its music via DRM. Doing so may require the installation of client-side software. Sony has disclosed the install in the EULA. It seems like everything is legally kosher.

(One possible angle I haven’t seen addressed: when was the EULA presented, and what happened if a buyer balked at the EULA? In the context of a CD, it may be that the EULA wasn’t presented until after purchase. If the EULA doesn’t allow for a refund if the buyer doesn’t agree with its terms, the EULA disclosure may be too late from a legal standpoint).

According to the EULA:

As soon as you have agreed to be bound by the terms and conditions of the EULA, this CD will automatically install a small proprietary software program (the “SOFTWARE”) onto YOUR COMPUTER. The SOFTWARE is intended to protect the audio files embodied on the CD, and it may also facilitate your use of the DIGITAL CONTENT. Once installed, the SOFTWARE will reside on YOUR COMPUTER until removed or deleted. However, the SOFTWARE will not be used at any time to collect any personal information from you, whether stored on YOUR COMPUTER or otherwise.

Although this informs people that software will be installed into their computers, it doesn’t tell them much about the software, the fact that it is hidden, or the fact that it is very hard to remove or delete.

One issue is whether making the software hidden and difficult to delete constitutes “exceeding authorized access,” which is also prohibited under the CFAA. People may authorize limited access to their computers, but that doesn’t entitle one to have permanent access. If the software is hidden from view and extremely difficult to get rid of without causing damage, is it designed to stick around beyond what users are authorizing?

Second, how far can companies go in using DRM to protect their copyrights? This incident might very well run afoul of the law because Sony may not have made adequate disclosures to CD users. But what if Sony did clearly and explicitly disclose the facts about the software? Any potential CFAA violations would then be significantly harder to establish.

Third, this incident displays the power of the blogosphere. Mark Russinovich’s post ignited an uproar across the blogosphere, the mainstream media picked up the story, and Sony quickly responded.

8 Responses

There’s a long (for internet time) history of failed and/or misguided attempts to implement DRMs in the music industry.

One feature of this that interests me is the apparently robust perception, held by the music copyright owners, that they need to engage in some degree of surreptitious behavior in implementing DRMs.

Is this because: (a) they believe this will make the DRM harder to crack (the “security through obscurity” fallacy); or (b) because they are afraid that consumers would resist DRMs if they knew all of the details about them? Or maybe they just have guilty consciences (doubtful)?

Ed Felten’s site has a nice discussion of some of the technical aspects of Sony’s actions.

I think there is an option “c”, which is that Sony is utterly clueless when it comes to computer users and software. I once had a Sony Minidisc player that I bought because, at the time, the only affordable alternative was a portable cd-player. Given that I wanted to use it when working out, and that the MD promised no skipping where the cd-player couldn’t, I went with the MD player and that was a serious mistake.

In the first place, no content is ever released onto MD, so you have to use your computer to record songs onto the MD. You had to use Sony’s proprietary software AND compression to get it on there (ATRAC or something like that as I recall). The software was just the worst I had ever seen and remains so. It was clunky, slow, and unstable. When I looked around on the web, it seemed I was not the only one with problems like that. After Sony, it’s no wonder to me that Apple’s streamlined and stable iTunes platform caught on (not for me, I now use a small Flash MP3 player that I can use Media Player to write to). It’s my understanding that their software hasn’t gotten any better in that regard anyway (YMMV, given that satisfied people aren’t likely to talk about it, but lots of people still complain about it online).

All of that leads me to conclude that Sony is just obtuse in this area. I don’t think they were malicious, I just don’t think they had a clue what might happen (viruses infecting the DRM and being hidden).

One issue is whether making the software hidden and difficult to delete constitutes “exceeding authorized access,” which is also prohibited under the CFAA. People may authorize limited access to their computers, but that doesn’t entitle one to have permanent access. If the software is hidden from view and extremely difficult to get rid of without causing damage, is it designed to stick around beyond what users are authorizing?

The program goes on to do more. I’m no lawyer, but presumably “authorized access” would mean that the user would authorize this program to execute while the music player is active, at least only when the CD is in the drive. On the contrary, as Mark Russinovich reports, the program actually runs constantly, using 1-2% of the computer’s processing power at all times, apparently scanning every two seconds all the current processes running on the computer. This seems to me to go a lot beyond “authorized access”.

The fact that it disables the CD drive on deletion seems to be a significantly greater intrusion than that implied in the contract language you quote. In fact, had they not posted instructions to cleanly delete it, I’d have to say there’d be a class action for trespass to chattels…

Even with the EULA, how is this agreed to? Does it pop up whenever a CD is played on the computer? (Suppose one’s CD playing software doesn’t pop it up? Is there assent?) Eric’s analysis of the whole EULA-after-purchase issue seems spot on (ProCD notwithstanding). I don’t share much of Eric’s concern about Sotelo, however. All non-consensual software installation should be trespass to chattels, and if it causes damages, which non-malicious javascript/flash wouldn’t, it should be subject to liability.

Why isn’t there a simple piece of software that prevents software from being installed without explicit consent? How hard would it be to set a series of permissions for various saves to the hard drive, and then for those that don’t fall into that category (i.e. anything that modifies the Windows registry files), demand user permission first? Has nobody written a utility like this yet? Hellooo… geeks..

I think the initial hurdle on a CFAA claim would be showing that Sony BMG “accesses” a computer when a user installs a program from a CD in the user’s physical possession. This is not an intuitive use of the word “access” (Sony BMG doesn’t “access” my house when I bring one of their CDs home) and I doubt it’s what Congress had in mind. What they had in mind was hackers.

“Causes … transmission” might be a slightly closer call, although I’m not sure installation from a CD should count as a transmission that the programmer causes. In any event, the user would have to prove Sony BMG “intentionally cause[d] damage” to the computer, which I doubt can be shown with respect to the installation itself, and anything other than the installation was probably not “intentional.” Getting too broad with the CFAA would subject all sorts of software to its provisions, which I doubt many people really want.

Bruce (and Eric if you’re reading): What would be wrong with a flat-out rule: “the distribution of any software whose known and serious detrimental effects on a user’s computer are not disclosed to that user subjects the distributor to tort liability”?

Perhaps I’ve been in Virginia too long. I’m beginning to believe in this “property rights” stuff. There’s something deeply and fundamentally wrong about turning someone’s own property traitor. It’s like the business with cell phone tracking, speed recorders in cars, etc. My property is mine, and no third party has a right to interfere with it.

(Now if you’ll excuse me, I have to go back to the ranch and chew some tobaccy.)

Talk about a backfire. A brief update on a story I previously blogged about a week ago. Sony attempted to install hidden DRM software into the computers of its CD users. A blogger criticized the software, setting off a firestorm…
